Posts Tagged ‘Contract’

Nexus 9K –ACI Mode – PART 2

31 May 2017 Leave a comment

Welcome to part 2 of ACI series,  if you want to go through  part 1 of ACI series , here is link for reference

Let’s start with the discussion of new terms related to ACI which will be used further during ACI discussion.



Above Pic tells about the different relation between Tenant and other components. So the first question arise is “What is actually Tenant? “


Customer in service provided environment is same as tenant represent in Nexus-ACI .The terminology is different but concept is same, Tenant may be understood as customer, organization or domain in enterprise.

We will configure different Bridge-Domain, Vrf, Application profile, contract and filter under the Tenant.



VRF can be understood same as the VRF in Service provide J .VRF defines layer 3 address domain, one or more Bridge-domain cane be associated with VRF.So next question comes to mind, what is Bridge-domain?


Bridge-Domain (BD)

Bridge-Domain represent layer 2 domain within fabric construct .Bridge-Domain must be linked to VRF, It is simply a container for subnets.

Consider VRF defining a unique IP address space, that address space consists of multiple subnets .These subnets can be defined in one or more bridge-domain that reference the VRF.

Bridge-Domain are in fact VXLANS (would be discussing the VXLAN in detail on next post), that allows any-to-any communication irrespective whether the communicating devices are on same subnet or not. The Important point to note is that all routing is host based, no need to worry whether devices are in same subnet or whereas in traditional routing, the IP address is important because the routing is based on subnet routing. Cool Feature J .


Endpoint Groups

EPGs are collection of similar endpoint representing logical grouping of objects that require a similar policy. Endpoints are devices that are connected to networks directly or indirectly.  Endpoint examples include servers, virtual machines, network-attached storage, or clients on the Internet.

An EPG can be statically configured by an administrator in the APIC, or dynamically configured by an automated system such as vCenter or OpenStack


Policy always applies to EPGs, never to individual endpoint.

Case 1: End point within the same EPGs can communicate freely.

Case 2: End point between the different EPGs cannot communicate freely, there is need to contract   between different EPGs. So what is Contract?



Contract can be referred as policy construct defining type of traffic that can be pass between EPGs.. When an EPG consumes a contract, the endpoints in the consuming EPG may initiate communication with any endpoint in an EPG that is providing that contract.

Contract is must for any communication between EPGs .Contract will refer to one or more filters.


Contract has some sub-component

  • Subject : Group of filters that apply to specific application or service
  • Filters : Used to classify traffic
  • Actions: Defines actions, which need to perform on filter ,permit, deny, mark all are actions.


Let’s take an example to understand the contract and its sub-component .Consider a server  for Web services ,let’s call as Web server which might be producing  sub applications such as HTTPS,HTTP,FTP,TFTP and so on. We have requirement to impose different policy on these different sub applications .APIC defines these sub applications or services as subjects. In other words, subjects are combined within contracts to represent the set of rules that define how an EPG communicates with other EPGs.

Filters are further define under subject like access-list for endpoint groups. What operation need to be done on filters is defined by Actions






Application Profile

Application profiles are group of EPGs and the policies that define the communication between the groups. For example, Finance application may require a web server, App server, DB server, and access to outside network to enable application transaction .This application profile contain all the necessary EPGs that are logically bind to provide the application.

A group of physical and virtual server may be grouped together in a single tier or 3 tier application. The communication between these 3 tier is necessary to make up complete application, This complete application definition is known as Application profile.



It is necessary to create filters within our tenant that will be utilized by the contract. These contract will be used by different EPGs to complete 3 tier application profile.

We are all most done with the major terms or components involved .Hope this post have help you to get basic insight of different components of ACI.

Smiles 🙂



Categories: SDN Tags: , , , , , ,
%d bloggers like this: